lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Tue, 14 Sep 2021 01:22:28 +1000
From:   Mark Smith <markzzzsmith@...il.com>
To:     Lorenzo Colitti <lorenzo@...gle.com>
Cc:     David Ahern <dsahern@...il.com>,
        Rocco Yue <rocco.yue@...iatek.com>,
        "David S . Miller" <davem@...emloft.net>,
        Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
        David Ahern <dsahern@...nel.org>,
        Jakub Kicinski <kuba@...nel.org>,
        Matthias Brugger <matthias.bgg@...il.com>,
        Linux NetDev <netdev@...r.kernel.org>,
        lkml <linux-kernel@...r.kernel.org>,
        linux-arm-kernel@...ts.infradead.org,
        linux-mediatek@...ts.infradead.org, wsd_upstream@...iatek.com,
        rocco.yue@...il.com, chao.song@...iatek.com,
        Kuohong Wang (王國鴻) 
        <kuohong.wang@...iatek.com>,
        Zhuoliang Zhang (张卓亮) 
        <zhuoliang.zhang@...iatek.com>
Subject: Re: [PATCH] net: ipv6: don't generate link-local address in any addr_gen_mode

Hi Lorenzo,

On Mon, 13 Sept 2021 at 19:38, Lorenzo Colitti <lorenzo@...gle.com> wrote:
>
> On Mon, Sep 13, 2021 at 12:47 AM Mark Smith <markzzzsmith@...il.com> wrote:
> > This is all going in the wrong direction. Link-local addresses are not
> > optional on an interface, all IPv6 enabled interfaces are required to
> > have one:
>
> The original patch did indeed disable the generation of the link-local
> address, but that patch was rejected. It sounds like the right
> approach here is to provide two new addressing modes:
>
> IN6_ADDR_GEN_MODE_RANDOM_LL_TOKEN
> IN6_ADDR_GEN_MODE_STABLE_PRIVACY_LL_TOKEN
>
> which would form the link-local address from the token passed in via
> IFLA_INET6_TOKEN, but would form non-link-local addresses (e.g.,
> global addresses) via the specified means (either random or stable
> privacy). I haven't looked at how to do that yet though.

I think there is a broader issue here.

If RFC7217 is used to generate the Link-Local address, then the
likelihood of the Link-Local address being a duplicate with the GGSN
is very low, because RFC7217 uses a function such as SHA-1 or SHA-256.
RFC7217 also performs DAD just in case, and triggers RFC7217 again if
a duplicate does occur.

RFC8064 recommends RFC7217 for all stable IPv6 addresses by default
now, which includes Link-Local addresses.

Following RFC8064 by Implementing RFC7217 for all stable IPv6
addresses the Linux kernel generates would solve both the 3GPP's
duplicate Link-Local address concern, and also make the Linux kernel
compliant with the latest SLAAC recommendation for default IIDs and
stable IPv6 addresses.

Regards,
Mark.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ